Re: [RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread William Roberts
On Sep 28, 2016 17:07, "Joshua Brindle" wrote:
>
> William Roberts wrote:
>>
>> On Sep 28, 2016 16:54, "Joshua Brindle" wrote:
>>>
>>> Joshua Brindle wrote:
>>>>
>>>> William Roberts wrote:
>>>>>
>>>>> From commit 35d702 on
>>>>> https://github.com/williamcroberts/selinux/tree/fix-mac
>>>>>
>>>>> I have a branch that is building on my El Capitan Mac, requesting any
>>>>> comments anyone
>>>>> wishes to make, before I send them out.
>>>>>
>>>>> If you wish to test, this is the procedure
>>>>>
>>>>> 1. Build libsepol (assumes at root of tree)
>>>>> a. cd libsepol
>>>>> b. make
>>>>> 2. Build libselinux
>>>>> a. cd libselinux (assumes at root of tree)
>>>>> b. make ANDROID_HOST=y
>>>>>
>>>> This works for me.
>>>
>>> make install DESTDIR=/tmp/someidr mostly works, Mac ln does not support
>>> --relative so that fails. ANDROID_HOST also needs to be set in the top
>>> level makefile so that it propagates down:
>>>
>>> ANDROID_HOST ?= n
>>
>> Yeah install doesn't work on Mac, that's why for Darwin we just set the
>> path to the libsepol location for sefcontext_compile.
>>
>> As for ANDROID_HOST, why does it need to go higher? It's only used in
>> libselinux and is declared and used just like DISABLE_SETRANS...I'm not
>> following you?
>>
>
> Because I was building from the top, basically seeing if I could get a
> usable toolchain out of it, but that looks like it would require a bit more
> work.

Ahh yeah, that won't work yet, but that would be nice.

>>>>> This essentially gets us to where a build server/maintainer
>>>>> can test patches quickly on mac, with some assurance
>>>>> it's not busted without downloading all of Android.
>>>>>
>>>>> It's still wise to check in an Android tree if possible IMHO.

___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread Joshua Brindle

William Roberts wrote:
> On Sep 28, 2016 16:54, "Joshua Brindle" wrote:
>> Joshua Brindle wrote:
>>> William Roberts wrote:
>>>> From commit 35d702 on
>>>> https://github.com/williamcroberts/selinux/tree/fix-mac
>>>>
>>>> I have a branch that is building on my El Capitan Mac, requesting any
>>>> comments anyone
>>>> wishes to make, before I send them out.
>>>>
>>>> If you wish to test, this is the procedure
>>>>
>>>> 1. Build libsepol (assumes at root of tree)
>>>> a. cd libsepol
>>>> b. make
>>>> 2. Build libselinux
>>>> a. cd libselinux (assumes at root of tree)
>>>> b. make ANDROID_HOST=y
>>>
>>> This works for me.
>>
>> make install DESTDIR=/tmp/someidr mostly works, Mac ln does not support
>> --relative so that fails. ANDROID_HOST also needs to be set in the top
>> level makefile so that it propagates down:
>>
>> ANDROID_HOST ?= n
>
> Yeah install doesn't work on Mac, that's why for Darwin we just set the
> path to the libsepol location for sefcontext_compile.
>
> As for ANDROID_HOST, why does it need to go higher? It's only used in
> libselinux and is declared and used just like DISABLE_SETRANS...I'm not
> following you?

Because I was building from the top, basically seeing if I could get a
usable toolchain out of it, but that looks like it would require a bit
more work.

>>>> This essentially gets us to where a build server/maintainer
>>>> can test patches quickly on mac, with some assurance
>>>> it's not busted without downloading all of Android.
>>>>
>>>> It's still wise to check in an Android tree if possible IMHO.



Re: [RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread Joshua Brindle

Joshua Brindle wrote:
> William Roberts wrote:
>> From commit 35d702 on
>> https://github.com/williamcroberts/selinux/tree/fix-mac
>>
>> I have a branch that is building on my El Capitan Mac, requesting any
>> comments anyone
>> wishes to make, before I send them out.
>>
>> If you wish to test, this is the procedure
>>
>> 1. Build libsepol (assumes at root of tree)
>> a. cd libsepol
>> b. make
>> 2. Build libselinux
>> a. cd libselinux (assumes at root of tree)
>> b. make ANDROID_HOST=y
>
> This works for me.

make install DESTDIR=/tmp/someidr mostly works, Mac ln does not support
--relative so that fails. ANDROID_HOST also needs to be set in the top
level makefile so that it propagates down:

ANDROID_HOST ?= n

>> This essentially gets us to where a build server/maintainer
>> can test patches quickly on mac, with some assurance
>> it's not busted without downloading all of Android.
>>
>> It's still wise to check in an Android tree if possible IMHO.



Re: [RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread Joshua Brindle

William Roberts wrote:
> From commit 35d702 on https://github.com/williamcroberts/selinux/tree/fix-mac
>
> I have a branch that is building on my El Capitan Mac, requesting any
> comments anyone
> wishes to make, before I send them out.
>
> If you wish to test, this is the procedure
>
> 1. Build libsepol (assumes at root of tree)
>  a. cd libsepol
>  b. make
> 2. Build libselinux
>  a. cd libselinux (assumes at root of tree)
>  b. make ANDROID_HOST=y

This works for me.

> This essentially gets us to where a build server/maintainer
> can test patches quickly on mac, with some assurance
> it's not busted without downloading all of Android.
>
> It's still wise to check in an Android tree if possible IMHO.



[RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread William Roberts
From commit 35d702 on https://github.com/williamcroberts/selinux/tree/fix-mac

I have a branch that is building on my El Capitan Mac, requesting any
comments anyone
wishes to make, before I send them out.

If you wish to test, this is the procedure

1. Build libsepol (assumes at root of tree)
a. cd libsepol
b. make
2. Build libselinux
a. cd libselinux (assumes at root of tree)
b. make ANDROID_HOST=y

This essentially gets us to where a build server/maintainer
can test patches quickly on mac, with some assurance
it's not busted without downloading all of Android.

It's still wise to check in an Android tree if possible IMHO.

-- 
Respectfully,

William C Roberts


Re: [PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread Stephen Smalley
On 09/28/2016 12:35 PM, Janis Danisevskis wrote:
> 
> 
> On Wed, Sep 28, 2016 at 5:17 PM, Stephen Smalley wrote:
> 
> On 09/28/2016 12:04 PM, Janis Danisevskis wrote:
> > We use the same lookup function for service contexts
> > that we use for property contexts. However, property
> > contexts are namespace based and only compare the
> > prefix. This may lead to service associations with
> > a wrong label.
> >
> > This patch introduces a stricter lookup function for
> > services contexts. Now the service name must match
> > the key of the service label exactly.
> >
> > Signed-off-by: Janis Danisevskis
> > ---
> >  libselinux/include/selinux/label.h  |  2 ++
> >  libselinux/src/label.c  |  1 +
> >  libselinux/src/label_android_property.c | 50 
> +
> >  libselinux/src/label_internal.h |  3 ++
> >  4 files changed, 56 insertions(+)
> 
> Normally each backend would go into its own file, so service would get
> its own.  Alternatively, since we are unlikely to ever support one
> without the other, perhaps label_android_property.c should be renamed to
> label_android.c and contain all of the Android-unique backends.
> 
> I was thinking along the same lines, was just eager to get home... I'll send
> a refactored patch by tomorrow.

Also, please update libselinux/utils/selabel_lookup.c and
selabel_digest.c to know about your new backend.
>  
> 
> >
> > diff --git a/libselinux/include/selinux/label.h 
> b/libselinux/include/selinux/label.h
> > index f0b1e10..277287e 100644
> > --- a/libselinux/include/selinux/label.h
> > +++ b/libselinux/include/selinux/label.h
> > @@ -34,6 +34,8 @@ struct selabel_handle;
> >  #define SELABEL_CTX_DB   3
> >  /* Android property service contexts */
> >  #define SELABEL_CTX_ANDROID_PROP 4
> > +/* Android service contexts */
> > +#define SELABEL_CTX_ANDROID_SERVICE 5
> >
> >  /*
> >   * Available options
> > diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> > index 96a4ff1..eb0e766 100644
> > --- a/libselinux/src/label.c
> > +++ b/libselinux/src/label.c
> > @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = {
> >   CONFIG_X_BACKEND(selabel_x_init),
> >   CONFIG_DB_BACKEND(selabel_db_init),
> >   _property_init,
> > + _service_init,
> 
> Wondering if we should support selective enablement of the property and
> service backends too, similar to what William introduced for media, x,
> and db so that he could disable them on Android (in our case, so we can
> disable property and service backends on Linux distributions).
> 
> 
> Oh, that is what these wrappers are for :-) . Sure.
>  
> 
> 
> >  };
> >
> >  static void selabel_subs_fini(struct selabel_sub *ptr)
> > diff --git a/libselinux/src/label_android_property.c
> b/libselinux/src/label_android_property.c
> > index 290b438..69d6afd 100644
> > --- a/libselinux/src/label_android_property.c
> > +++ b/libselinux/src/label_android_property.c
> > @@ -279,6 +279,38 @@ finish:
> >   return ret;
> >  }
> >
> > +static struct selabel_lookup_rec *service_lookup(struct
> selabel_handle *rec,
> > + const char *key, int __attribute__((unused)) type)
> > +{
> > + struct saved_data *data = (struct saved_data *)rec->data;
> > + spec_t *spec_arr = data->spec_arr;
> > + unsigned int i;
> > + struct selabel_lookup_rec *ret = NULL;
> > +
> > + if (!data->nspec) {
> > + errno = ENOENT;
> > + goto finish;
> > + }
> > +
> > + for (i = 0; i < data->nspec; i++) {
> > + if (strcmp(spec_arr[i].property_key, key) == 0)
> > + break;
> > + if (strcmp(spec_arr[i].property_key, "*") == 0)
> > + break;
> > + }
> > +
> > + if (i >= data->nspec) {
> > + /* No matching specification. */
> > + errno = ENOENT;
> > + goto finish;
> > + }
> > +
> > + ret = _arr[i].lr;
> > +
> > +finish:
> > + return ret;
> > +}
> > +
> >  static void stats(struct selabel_handle __attribute__((unused)) *rec)
> >  {
> >   selinux_log(SELINUX_WARNING, "'stats' functionality not
> implemented.\n");
> > @@ -302,3 +334,21 @@ int selabel_property_init(struct
> selabel_handle *rec,
> >
> >   return init(rec, opts, nopts);
> >  }
> > +
> > +int selabel_service_init(struct selabel_handle *rec,
> > + const struct selinux_opt *opts, unsigned nopts)
> > +{
> > + struct 

Re: [PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread Stephen Smalley
On 09/28/2016 12:43 PM, William Roberts wrote:
> On Wed, Sep 28, 2016 at 12:42 PM, Stephen Smalley  wrote:
>> On 09/28/2016 12:25 PM, William Roberts wrote:
>>> On Wed, Sep 28, 2016 at 12:17 PM, Stephen Smalley  
>>> wrote:
 On 09/28/2016 12:04 PM, Janis Danisevskis wrote:
> We use the same lookup function for service contexts
> that we use for property contexts. However, property
> contexts are namespace based and only compare the
> prefix. This may lead to service associations with
> a wrong label.
>
> This patch introduces a stricter lookup function for
> services contexts. Now the service name must match
> the key of the service label exactly.
>
> Signed-off-by: Janis Danisevskis 
> ---
>  libselinux/include/selinux/label.h  |  2 ++
>  libselinux/src/label.c  |  1 +
>  libselinux/src/label_android_property.c | 50 
> +
>  libselinux/src/label_internal.h |  3 ++
>  4 files changed, 56 insertions(+)

 Normally each backend would go into its own file, so service would get
 its own.  Alternatively, since we are unlikely to ever support one
 without the other, perhaps label_android_property.c should be renamed to
 label_android.c and contain all of the Android-unique backends.

>
> diff --git a/libselinux/include/selinux/label.h 
> b/libselinux/include/selinux/label.h
> index f0b1e10..277287e 100644
> --- a/libselinux/include/selinux/label.h
> +++ b/libselinux/include/selinux/label.h
> @@ -34,6 +34,8 @@ struct selabel_handle;
>  #define SELABEL_CTX_DB   3
>  /* Android property service contexts */
>  #define SELABEL_CTX_ANDROID_PROP 4
> +/* Android service contexts */
> +#define SELABEL_CTX_ANDROID_SERVICE 5
>
>  /*
>   * Available options
> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> index 96a4ff1..eb0e766 100644
> --- a/libselinux/src/label.c
> +++ b/libselinux/src/label.c
> @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = {
>   CONFIG_X_BACKEND(selabel_x_init),
>   CONFIG_DB_BACKEND(selabel_db_init),
>   _property_init,
> + _service_init,

 Wondering if we should support selective enablement of the property and
 service backends too, similar to what William introduced for media, x,
 and db so that he could disable them on Android (in our case, so we can
 disable property and service backends on Linux distributions).
>>>
>>> I was wondering that too, I'm for it. If ANDROID_HOST patch is applied, we
>>> should just set the defaults to strip them out and only on ANDROID_HOST=y
>>> add them in.
>>>
>>> We'd also need to coordinate with the AOSP patches, but I can
>>> routinely update those
>>> based on what's going on.
>>
>> I could be wrong, but I think we only need the property and service
>> backends on the target, not on the build host.  The file backend is
>> needed on the build host to label the filesystem images when they are
>> created.  We are likely only building the property backend on the host
>> because we don't allow conditionally excluding it presently.
> 
> checkfc I thought uses them for checking property and service backends?

Ah, you're right.  Never mind...



Re: [PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 12:42 PM, Stephen Smalley  wrote:
> On 09/28/2016 12:25 PM, William Roberts wrote:
>> On Wed, Sep 28, 2016 at 12:17 PM, Stephen Smalley  wrote:
>>> On 09/28/2016 12:04 PM, Janis Danisevskis wrote:
 We use the same lookup function for service contexts
 that we use for property contexts. However, property
 contexts are namespace based and only compare the
 prefix. This may lead to service associations with
 a wrong label.

 This patch introduces a stricter lookup function for
 services contexts. Now the service name must match
 the key of the service label exactly.

 Signed-off-by: Janis Danisevskis 
 ---
  libselinux/include/selinux/label.h  |  2 ++
  libselinux/src/label.c  |  1 +
  libselinux/src/label_android_property.c | 50 
 +
  libselinux/src/label_internal.h |  3 ++
  4 files changed, 56 insertions(+)
>>>
>>> Normally each backend would go into its own file, so service would get
>>> its own.  Alternatively, since we are unlikely to ever support one
>>> without the other, perhaps label_android_property.c should be renamed to
>>> label_android.c and contain all of the Android-unique backends.
>>>

 diff --git a/libselinux/include/selinux/label.h 
 b/libselinux/include/selinux/label.h
 index f0b1e10..277287e 100644
 --- a/libselinux/include/selinux/label.h
 +++ b/libselinux/include/selinux/label.h
 @@ -34,6 +34,8 @@ struct selabel_handle;
  #define SELABEL_CTX_DB   3
  /* Android property service contexts */
  #define SELABEL_CTX_ANDROID_PROP 4
 +/* Android service contexts */
 +#define SELABEL_CTX_ANDROID_SERVICE 5

  /*
   * Available options
 diff --git a/libselinux/src/label.c b/libselinux/src/label.c
 index 96a4ff1..eb0e766 100644
 --- a/libselinux/src/label.c
 +++ b/libselinux/src/label.c
 @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = {
   CONFIG_X_BACKEND(selabel_x_init),
   CONFIG_DB_BACKEND(selabel_db_init),
   _property_init,
 + _service_init,
>>>
>>> Wondering if we should support selective enablement of the property and
>>> service backends too, similar to what William introduced for media, x,
>>> and db so that he could disable them on Android (in our case, so we can
>>> disable property and service backends on Linux distributions).
>>
>> I was wondering that too, I'm for it. If ANDROID_HOST patch is applied, we
>> should just set the defaults to strip them out and only on ANDROID_HOST=y
>> add them in.
>>
>> We'd also need to coordinate with the AOSP patches, but I can
>> routinely update those
>> based on what's going on.
>
> I could be wrong, but I think we only need the property and service
> backends on the target, not on the build host.  The file backend is
> needed on the build host to label the filesystem images when they are
> created.  We are likely only building the property backend on the host
> because we don't allow conditionally excluding it presently.

checkfc I thought uses them for checking property and service backends?

>
> OTOH, being able to look things up on the build host could be useful
> from a development POV, e.g. if you were to add utils/selabel_lookup to
> the build host targets and kept the property and service backends in the
> host libselinux, then one could check what would match a given key.



-- 
Respectfully,

William C Roberts


Re: [PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread Janis Danisevskis
On Wed, Sep 28, 2016 at 5:17 PM, Stephen Smalley  wrote:

> On 09/28/2016 12:04 PM, Janis Danisevskis wrote:
> > We use the same lookup function for service contexts
> > that we use for property contexts. However, property
> > contexts are namespace based and only compare the
> > prefix. This may lead to service associations with
> > a wrong label.
> >
> > This patch introduces a stricter lookup function for
> > services contexts. Now the service name must match
> > the key of the service label exactly.
> >
> > Signed-off-by: Janis Danisevskis 
> > ---
> >  libselinux/include/selinux/label.h  |  2 ++
> >  libselinux/src/label.c  |  1 +
> >  libselinux/src/label_android_property.c | 50
> +
> >  libselinux/src/label_internal.h |  3 ++
> >  4 files changed, 56 insertions(+)
>
> Normally each backend would go into its own file, so service would get
> its own.  Alternatively, since we are unlikely to ever support one
> without the other, perhaps label_android_property.c should be renamed to
> label_android.c and contain all of the Android-unique backends.
>
I was thinking along the same lines, was just eager to get home... I'll send
a refactored patch by tomorrow.


> >
> > diff --git a/libselinux/include/selinux/label.h
> b/libselinux/include/selinux/label.h
> > index f0b1e10..277287e 100644
> > --- a/libselinux/include/selinux/label.h
> > +++ b/libselinux/include/selinux/label.h
> > @@ -34,6 +34,8 @@ struct selabel_handle;
> >  #define SELABEL_CTX_DB   3
> >  /* Android property service contexts */
> >  #define SELABEL_CTX_ANDROID_PROP 4
> > +/* Android service contexts */
> > +#define SELABEL_CTX_ANDROID_SERVICE 5
> >
> >  /*
> >   * Available options
> > diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> > index 96a4ff1..eb0e766 100644
> > --- a/libselinux/src/label.c
> > +++ b/libselinux/src/label.c
> > @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = {
> >   CONFIG_X_BACKEND(selabel_x_init),
> >   CONFIG_DB_BACKEND(selabel_db_init),
> >   _property_init,
> > + _service_init,
>
> Wondering if we should support selective enablement of the property and
> service backends too, similar to what William introduced for media, x,
> and db so that he could disable them on Android (in our case, so we can
> disable property and service backends on Linux distributions).
>

Oh, that is what these wrappers are for :-) . Sure.


>
> >  };
> >
> >  static void selabel_subs_fini(struct selabel_sub *ptr)
> > diff --git a/libselinux/src/label_android_property.c
> b/libselinux/src/label_android_property.c
> > index 290b438..69d6afd 100644
> > --- a/libselinux/src/label_android_property.c
> > +++ b/libselinux/src/label_android_property.c
> > @@ -279,6 +279,38 @@ finish:
> >   return ret;
> >  }
> >
> > +static struct selabel_lookup_rec *service_lookup(struct selabel_handle
> *rec,
> > + const char *key, int __attribute__((unused)) type)
> > +{
> > + struct saved_data *data = (struct saved_data *)rec->data;
> > + spec_t *spec_arr = data->spec_arr;
> > + unsigned int i;
> > + struct selabel_lookup_rec *ret = NULL;
> > +
> > + if (!data->nspec) {
> > + errno = ENOENT;
> > + goto finish;
> > + }
> > +
> > + for (i = 0; i < data->nspec; i++) {
> > + if (strcmp(spec_arr[i].property_key, key) == 0)
> > + break;
> > + if (strcmp(spec_arr[i].property_key, "*") == 0)
> > + break;
> > + }
> > +
> > + if (i >= data->nspec) {
> > + /* No matching specification. */
> > + errno = ENOENT;
> > + goto finish;
> > + }
> > +
> > + ret = _arr[i].lr;
> > +
> > +finish:
> > + return ret;
> > +}
> > +
> >  static void stats(struct selabel_handle __attribute__((unused)) *rec)
> >  {
> >   selinux_log(SELINUX_WARNING, "'stats' functionality not
> implemented.\n");
> > @@ -302,3 +334,21 @@ int selabel_property_init(struct selabel_handle
> *rec,
> >
> >   return init(rec, opts, nopts);
> >  }
> > +
> > +int selabel_service_init(struct selabel_handle *rec,
> > + const struct selinux_opt *opts, unsigned nopts)
> > +{
> > + struct saved_data *data;
> > +
> > + data = (struct saved_data *)malloc(sizeof(*data));
> > + if (!data)
> > + return -1;
> > + memset(data, 0, sizeof(*data));
> > +
> > + rec->data = data;
> > + rec->func_close = 
> > + rec->func_stats = 
> > + rec->func_lookup = _lookup;
> > +
> > + return init(rec, opts, nopts);
> > +}
> > diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_
> internal.h
> > index 7c55531..6a9481a 100644
> > --- a/libselinux/src/label_internal.h
> > +++ b/libselinux/src/label_internal.h
> > @@ -39,6 +39,9 @@ int selabel_db_init(struct selabel_handle *rec,
> >  int selabel_property_init(struct 

Re: [PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread Stephen Smalley
On 09/28/2016 12:25 PM, William Roberts wrote:
> On Wed, Sep 28, 2016 at 12:17 PM, Stephen Smalley  wrote:
>> On 09/28/2016 12:04 PM, Janis Danisevskis wrote:
>>> We use the same lookup function for service contexts
>>> that we use for property contexts. However, property
>>> contexts are namespace based and only compare the
>>> prefix. This may lead to service associations with
>>> a wrong label.
>>>
>>> This patch introduces a stricter lookup function for
>>> services contexts. Now the service name must match
>>> the key of the service label exactly.
>>>
>>> Signed-off-by: Janis Danisevskis 
>>> ---
>>>  libselinux/include/selinux/label.h  |  2 ++
>>>  libselinux/src/label.c  |  1 +
>>>  libselinux/src/label_android_property.c | 50 
>>> +
>>>  libselinux/src/label_internal.h |  3 ++
>>>  4 files changed, 56 insertions(+)
>>
>> Normally each backend would go into its own file, so service would get
>> its own.  Alternatively, since we are unlikely to ever support one
>> without the other, perhaps label_android_property.c should be renamed to
>> label_android.c and contain all of the Android-unique backends.
>>
>>>
>>> diff --git a/libselinux/include/selinux/label.h 
>>> b/libselinux/include/selinux/label.h
>>> index f0b1e10..277287e 100644
>>> --- a/libselinux/include/selinux/label.h
>>> +++ b/libselinux/include/selinux/label.h
>>> @@ -34,6 +34,8 @@ struct selabel_handle;
>>>  #define SELABEL_CTX_DB   3
>>>  /* Android property service contexts */
>>>  #define SELABEL_CTX_ANDROID_PROP 4
>>> +/* Android service contexts */
>>> +#define SELABEL_CTX_ANDROID_SERVICE 5
>>>
>>>  /*
>>>   * Available options
>>> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
>>> index 96a4ff1..eb0e766 100644
>>> --- a/libselinux/src/label.c
>>> +++ b/libselinux/src/label.c
>>> @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = {
>>>   CONFIG_X_BACKEND(selabel_x_init),
>>>   CONFIG_DB_BACKEND(selabel_db_init),
>>>   _property_init,
>>> + _service_init,
>>
>> Wondering if we should support selective enablement of the property and
>> service backends too, similar to what William introduced for media, x,
>> and db so that he could disable them on Android (in our case, so we can
>> disable property and service backends on Linux distributions).
> 
> I was wondering that too, I'm for it. If ANDROID_HOST patch is applied, we
> should just set the defaults to strip them out and only on ANDROID_HOST=y
> add them in.
> 
> We'd also need to coordinate with the AOSP patches, but I can
> routinely update those
> based on what's going on.

I could be wrong, but I think we only need the property and service
backends on the target, not on the build host.  The file backend is
needed on the build host to label the filesystem images when they are
created.  We are likely only building the property backend on the host
because we don't allow conditionally excluding it presently.

OTOH, being able to look things up on the build host could be useful
from a development POV, e.g. if you were to add utils/selabel_lookup to
the build host targets and kept the property and service backends in the
host libselinux, then one could check what would match a given key.


[PATCH v3] libselinux: add ANDROID_HOST=y build option

2016-09-28 Thread william . c . roberts
From: William Roberts 

To build the selinux host configuration, specify
ANDROID_HOST=y on the Make command line.

eg)
make ANDROID_HOST=y
---
 libselinux/Makefile   | 6 +-
 libselinux/src/Makefile   | 8 
 libselinux/utils/Makefile | 4 
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/libselinux/Makefile b/libselinux/Makefile
index cec2943..f607115 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -2,13 +2,17 @@ SUBDIRS = src include utils man
 
 DISABLE_SETRANS ?= n
 DISABLE_RPM ?= y
+ANDROID_HOST ?= n
+ifeq ($(ANDROID_HOST),y)
+   override DISABLE_SETRANS=y
+endif
 ifeq ($(DISABLE_RPM),y)
DISABLE_FLAGS+= -DDISABLE_RPM
 endif
 ifeq ($(DISABLE_SETRANS),y)
DISABLE_FLAGS+= -DDISABLE_SETRANS
 endif
-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
 
 USE_PCRE2 ?= n
 ifeq ($(USE_PCRE2),y)
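Review bot: `override DISABLE_SETRANS=y` inside the `ifeq ($(ANDROID_HOST),y)` block discards an explicit `DISABLE_SETRANS=n` from the command line without any message. Add a comment saying why the Android host build forces it, and describe ANDROID_HOST next to the other `?=` defaults so the option is discoverable. The commit message also carries no Signed-off-by line.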
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 7bf11a8..2c61fad 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -81,6 +81,14 @@ ifneq (,$(filter i386,$(ARCH)))
 TLSFLAGS += -mno-tls-direct-seg-refs
 endif
 
+ifeq ($(ANDROID_HOST),y)
+DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
+   -DBUILD_HOST
+SRCS= callbacks.c freecon.c label.c label_file.c \
+   label_android_property.c regex.c label_support.c \
+   matchpathcon.c setrans_client.c sha1.c
+endif
+
 SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
 
 SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
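Review bot: The `SRCS=` assignment in the `ANDROID_HOST` block replaces the source list with ten hand-picked files, so it has to be edited by hand whenever a file is added or renamed (for example if `label_android_property.c` is renamed). Consider deriving it from the existing list with `$(filter ...)`, or add a comment naming the Android file list it must track. `-DBUILD_HOST` is also appended to `DISABLE_FLAGS`, which the `SWIG` and `SWIGRUBY` lines just below pass to swig; a separate variable would keep a non-disable define out of the binding generation.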
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 7898c08..e56a953 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -28,7 +28,11 @@ override CFLAGS += -I../include -I$(INCLUDEDIR) 
-D_GNU_SOURCE $(DISABLE_FLAGS) $
 LDLIBS += -L../src -lselinux -L$(LIBDIR)
 PCRE_LDFLAGS ?= -lpcre
 
+ifeq ($(ANDROID_HOST),y)
+TARGETS=sefcontext_compile
+else
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+endif
 
 sefcontext_compile: LDLIBS += $(PCRE_LDFLAGS) ../src/libselinux.a -lsepol
 
-- 
1.9.1



[PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread Janis Danisevskis
We use the same lookup function for service contexts
that we use for property contexts. However, property
contexts are namespace based and only compare the
prefix. This may lead to service associations with
a wrong label.

This patch introduces a stricter lookup function for
services contexts. Now the service name must match
the key of the service label exactly.

Signed-off-by: Janis Danisevskis 
---
 libselinux/include/selinux/label.h  |  2 ++
 libselinux/src/label.c  |  1 +
 libselinux/src/label_android_property.c | 50 +
 libselinux/src/label_internal.h |  3 ++
 4 files changed, 56 insertions(+)

diff --git a/libselinux/include/selinux/label.h 
b/libselinux/include/selinux/label.h
index f0b1e10..277287e 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -34,6 +34,8 @@ struct selabel_handle;
 #define SELABEL_CTX_DB 3
 /* Android property service contexts */
 #define SELABEL_CTX_ANDROID_PROP 4
+/* Android service contexts */
+#define SELABEL_CTX_ANDROID_SERVICE 5
 
 /*
  * Available options
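Review bot: The two comments in this hunk are easy to confuse: `SELABEL_CTX_ANDROID_PROP` is documented as "Android property service contexts" and the new `SELABEL_CTX_ANDROID_SERVICE` as "Android service contexts". Since the reason for the new backend is exact-match lookup instead of prefix matching, say so in the comment above `#define SELABEL_CTX_ANDROID_SERVICE 5` so callers know which constant to pick.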
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index 96a4ff1..eb0e766 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = {
CONFIG_X_BACKEND(selabel_x_init),
CONFIG_DB_BACKEND(selabel_db_init),
_property_init,
+   _service_init,
 };
 
 static void selabel_subs_fini(struct selabel_sub *ptr)
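Review bot: The new `initfuncs[]` entry is added unconditionally, while the entries above it go through `CONFIG_X_BACKEND(...)` and `CONFIG_DB_BACKEND(...)`. Wrap the Android entries the same way so they can be compiled out, and keep the new entry in the slot that corresponds to `SELABEL_CTX_ANDROID_SERVICE` (5), since the array order follows the backend numbers.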
diff --git a/libselinux/src/label_android_property.c 
b/libselinux/src/label_android_property.c
index 290b438..69d6afd 100644
--- a/libselinux/src/label_android_property.c
+++ b/libselinux/src/label_android_property.c
@@ -279,6 +279,38 @@ finish:
return ret;
 }
 
+static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
+   const char *key, int __attribute__((unused)) type)
+{
+   struct saved_data *data = (struct saved_data *)rec->data;
+   spec_t *spec_arr = data->spec_arr;
+   unsigned int i;
+   struct selabel_lookup_rec *ret = NULL;
+
+   if (!data->nspec) {
+   errno = ENOENT;
+   goto finish;
+   }
+
+   for (i = 0; i < data->nspec; i++) {
+   if (strcmp(spec_arr[i].property_key, key) == 0)
+   break;
+   if (strcmp(spec_arr[i].property_key, "*") == 0)
+   break;
+   }
+
+   if (i >= data->nspec) {
+   /* No matching specification. */
+   errno = ENOENT;
+   goto finish;
+   }
+
+   ret = _arr[i].lr;
+
+finish:
+   return ret;
+}
+
 static void stats(struct selabel_handle __attribute__((unused)) *rec)
 {
selinux_log(SELINUX_WARNING, "'stats' functionality not 
implemented.\n");
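Review bot: In the `for` loop of `service_lookup`, the `strcmp(spec_arr[i].property_key, "*") == 0` test breaks on the first wildcard entry it meets, so an exact entry stored after a `*` entry in `spec_arr` is never reached. Either state in a comment that `spec_arr` must be ordered with `*` last, or finish the scan for an exact match and keep the wildcard index only as a fallback. The initial `if (!data->nspec)` block is also redundant, because with an empty array the loop falls through to the `i >= data->nspec` check with the same result.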
@@ -302,3 +334,21 @@ int selabel_property_init(struct selabel_handle *rec,
 
return init(rec, opts, nopts);
 }
+
+int selabel_service_init(struct selabel_handle *rec,
+   const struct selinux_opt *opts, unsigned nopts)
+{
+   struct saved_data *data;
+
+   data = (struct saved_data *)malloc(sizeof(*data));
+   if (!data)
+   return -1;
+   memset(data, 0, sizeof(*data));
+
+   rec->data = data;
+   rec->func_close = 
+   rec->func_stats = 
+   rec->func_lookup = _lookup;
+
+   return init(rec, opts, nopts);
+}
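Review bot: In `selabel_service_init`, `rec->data = data` is assigned before `init(rec, opts, nopts)` runs and its return value is passed straight through, so nothing in this function frees `data` when `init` fails. Confirm that the failure path releases it, or free it here and reset `rec->data`. The `malloc` followed by `memset(data, 0, sizeof(*data))` can also be a single `calloc(1, sizeof(*data))`.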
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 7c55531..6a9481a 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -39,6 +39,9 @@ int selabel_db_init(struct selabel_handle *rec,
 int selabel_property_init(struct selabel_handle *rec,
const struct selinux_opt *opts,
unsigned nopts) hidden;
+int selabel_service_init(struct selabel_handle *rec,
+   const struct selinux_opt *opts,
+   unsigned nopts) hidden;
 
 /*
  * Labeling internal structures
-- 
2.8.0.rc3.226.g39d4020



Re: [PATCH 2/2] libselinux: set DISABLE_RPM default to y.

2016-09-28 Thread Stephen Smalley
On 09/28/2016 12:00 PM, william.c.robe...@intel.com wrote:
> From: William Roberts 
> 
> Change the default build behavior to always use DISABLE_RPM.
> To get the old behavior call make with DISABLE_RPM=n.
> 
> eg.)
> make DISABLE_RPM=n

Thanks, applied both.  We'll see if anyone complains about this one and
revert if necessary.

> 
> Signed-off-by: William Roberts 
> ---
>  libselinux/Makefile | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index 41d836c..cec2943 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -1,7 +1,7 @@
>  SUBDIRS = src include utils man
>  
>  DISABLE_SETRANS ?= n
> -DISABLE_RPM ?= n
> +DISABLE_RPM ?= y
>  ifeq ($(DISABLE_RPM),y)
>   DISABLE_FLAGS+= -DDISABLE_RPM
>  endif
> 



Re: [PATCH] libselinux: fix unused variable error

2016-09-28 Thread Stephen Smalley
On 09/28/2016 11:53 AM, william.c.robe...@intel.com wrote:
> From: William Roberts 
> 
> When building for Android, this error manifests itself:
> 
> label_file.c:570:7: error: unused variable ‘subs_file’ 
> [-Werror=unused-variable]
>   char subs_file[PATH_MAX + 1];
> 
> Fix it by moving the variable into the ifdef'd usage block.

Thanks, applied.

> 
> Signed-off-by: William Roberts 
> ---
>  libselinux/src/label_file.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index adf3dcc..a4dc3cd 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -567,7 +567,6 @@ static int init(struct selabel_handle *rec, const struct 
> selinux_opt *opts,
>   struct saved_data *data = (struct saved_data *)rec->data;
>   const char *path = NULL;
>   const char *prefix = NULL;
> - char subs_file[PATH_MAX + 1];
>   int status = -1, baseonly = 0;
>  
>   /* Process arguments */
> @@ -585,6 +584,7 @@ static int init(struct selabel_handle *rec, const struct 
> selinux_opt *opts,
>   }
>  
>  #if !defined(BUILD_HOST) && !defined(ANDROID)
> + char subs_file[PATH_MAX + 1];
>   /* Process local and distribution substitution files */
>   if (!path) {
>   rec->dist_subs =
> 


Re: [PATCH] libselinux: fix unused variable error

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 11:53 AM,   wrote:
> From: William Roberts 
>
> When building for Android, this error manifests itself:
>
> label_file.c:570:7: error: unused variable ‘subs_file’ 
> [-Werror=unused-variable]
>   char subs_file[PATH_MAX + 1];
>

FYI this just happened when building with ANDROID_HOST=y on my
development branch, so I am
assuming some Makefile change introduced a hard error on it... inside
the android tree, it was still
building, without even printing a warning as well.

> Fix it by moving the variable into the ifdef'd usage block.
>
> Signed-off-by: William Roberts 
> ---
>  libselinux/src/label_file.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index adf3dcc..a4dc3cd 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -567,7 +567,6 @@ static int init(struct selabel_handle *rec, const struct 
> selinux_opt *opts,
> struct saved_data *data = (struct saved_data *)rec->data;
> const char *path = NULL;
> const char *prefix = NULL;
> -   char subs_file[PATH_MAX + 1];
> int status = -1, baseonly = 0;
>
> /* Process arguments */
> @@ -585,6 +584,7 @@ static int init(struct selabel_handle *rec, const struct 
> selinux_opt *opts,
> }
>
>  #if !defined(BUILD_HOST) && !defined(ANDROID)
> +   char subs_file[PATH_MAX + 1];
> /* Process local and distribution substitution files */
> if (!path) {
> rec->dist_subs =
> --
> 1.9.1
>


[PATCH 2/2] libselinux: set DISABLE_RPM default to y.

2016-09-28 Thread william . c . roberts
From: William Roberts 

Change the default build behavior to always use DISABLE_RPM.
To get the old behavior call make with DISABLE_RPM=n.

eg.)
make DISABLE_RPM=n

Signed-off-by: William Roberts 
---
 libselinux/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/Makefile b/libselinux/Makefile
index 41d836c..cec2943 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -1,7 +1,7 @@
 SUBDIRS = src include utils man
 
 DISABLE_SETRANS ?= n
-DISABLE_RPM ?= n
+DISABLE_RPM ?= y
 ifeq ($(DISABLE_RPM),y)
DISABLE_FLAGS+= -DDISABLE_RPM
 endif
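Review bot: Changing `DISABLE_RPM ?= n` to `DISABLE_RPM ?= y` flips the behaviour of every build that does not set the variable, so anything that relied on the code guarded by DISABLE_RPM being compiled in by default loses it without a build error. The commit message explains how to get the old behaviour; the same sentence belongs in a comment next to the assignment and in the release notes, so that packagers find it without reading the log.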
-- 
1.9.1



[PATCH 1/2] libselinux: rename EMFLAGS to DISABLE_FLAGS

2016-09-28 Thread william . c . roberts
From: William Roberts 

Change EMFLAGS variable, used for setting additional CFLAGS
to DISABLE_FLAGS, to indicate its usage better.

Signed-off-by: William Roberts 
---
 libselinux/Makefile   | 6 +++---
 libselinux/src/Makefile   | 6 +++---
 libselinux/utils/Makefile | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/libselinux/Makefile b/libselinux/Makefile
index bfeb4b8..41d836c 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -3,12 +3,12 @@ SUBDIRS = src include utils man
 DISABLE_SETRANS ?= n
 DISABLE_RPM ?= n
 ifeq ($(DISABLE_RPM),y)
-   EMFLAGS+= -DDISABLE_RPM
+   DISABLE_FLAGS+= -DDISABLE_RPM
 endif
 ifeq ($(DISABLE_SETRANS),y)
-   EMFLAGS+= -DDISABLE_SETRANS
+   DISABLE_FLAGS+= -DDISABLE_SETRANS
 endif
-export DISABLE_SETRANS DISABLE_RPM EMFLAGS
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS
 
 USE_PCRE2 ?= n
 ifeq ($(USE_PCRE2),y)
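Review bot: EMFLAGS is exported to the sub-makes and the `+=` lines extend any value inherited from the environment, so an external build script that passes extra defines through EMFLAGS will have them dropped silently after the rename. If that is a supported use, keep a transitional `DISABLE_FLAGS += $(EMFLAGS)` for a release; if not, say in the commit message that the variable is internal to the libselinux makefiles.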
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index d8a79b4..7bf11a8 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -69,7 +69,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security 
-Winit-self -Wmissi
 
 PCRE_LDFLAGS ?= -lpcre
 
-override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) 
$(PCRE_CFLAGS)
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(DISABLE_FLAGS) 
$(PCRE_CFLAGS)
 
 SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable 
-Wno-unused-parameter \
-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes 
-Wno-missing-declarations
@@ -81,9 +81,9 @@ ifneq (,$(filter i386,$(ARCH)))
 TLSFLAGS += -mno-tls-direct-seg-refs
 endif
 
-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(EMFLAGS)
+SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
 
-SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(EMFLAGS)
+SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
 
 all: $(LIBA) $(LIBSO) $(LIBPC)
 
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 0708d6d..7898c08 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -24,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security 
-Winit-self -Wmissi
   -fasynchronous-unwind-tables -fdiagnostics-show-option 
-funit-at-a-time \
   -fipa-pure-const -Wno-suggest-attribute=pure 
-Wno-suggest-attribute=const \
   -Werror -Wno-aggregate-return -Wno-redundant-decls
-override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) 
$(PCRE_CFLAGS)
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(DISABLE_FLAGS) 
$(PCRE_CFLAGS)
 LDLIBS += -L../src -lselinux -L$(LIBDIR)
 PCRE_LDFLAGS ?= -lpcre
 
-- 
1.9.1



[PATCH] libselinux: fix unused variable error

2016-09-28 Thread william . c . roberts
From: William Roberts 

When building for Android, this error manifests itself:

label_file.c:570:7: error: unused variable ‘subs_file’ [-Werror=unused-variable]
  char subs_file[PATH_MAX + 1];

Fix it by moving the variable into the ifdef'd usage block.

Signed-off-by: William Roberts 
---
 libselinux/src/label_file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index adf3dcc..a4dc3cd 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -567,7 +567,6 @@ static int init(struct selabel_handle *rec, const struct 
selinux_opt *opts,
struct saved_data *data = (struct saved_data *)rec->data;
const char *path = NULL;
const char *prefix = NULL;
-   char subs_file[PATH_MAX + 1];
int status = -1, baseonly = 0;
 
/* Process arguments */
@@ -585,6 +584,7 @@ static int init(struct selabel_handle *rec, const struct 
selinux_opt *opts,
}
 
 #if !defined(BUILD_HOST) && !defined(ANDROID)
+   char subs_file[PATH_MAX + 1];
/* Process local and distribution substitution files */
if (!path) {
rec->dist_subs =
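Review bot: The moved declaration `char subs_file[PATH_MAX + 1];` now follows executable statements in the body of init(), which makes it a declaration after statement: valid C99, but an error under -Wdeclaration-after-statement with -Werror, and the other declarations in this function sit at the top. Consider keeping it at the top of the function under the same `#if !defined(BUILD_HOST) && !defined(ANDROID)` guard, or opening a braced scope around the substitution-file block.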
-- 
1.9.1


Re: [PATCH 3/3] libselinux: drop DISABLE_BOOL=y option

2016-09-28 Thread Stephen Smalley
On 09/28/2016 11:26 AM, william.c.robe...@intel.com wrote:
> From: William Roberts 
> 
> Build option DISABLE_BOOL=y is not being used, and is broken, drop it.
> 
> Signed-off-by: William Roberts 

Thanks, applied all three.  At some point we might want to rename
EMFLAGS (presumably short for embedded flags) to DISABLE_FLAGS or similar.

> ---
>  libselinux/Makefile  | 6 +-
>  libselinux/src/Makefile  | 6 +-
>  libselinux/src/load_policy.c | 2 --
>  libselinux/utils/Makefile| 5 -
>  4 files changed, 2 insertions(+), 17 deletions(-)
> 
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index c96695d..bfeb4b8 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -2,17 +2,13 @@ SUBDIRS = src include utils man
>  
>  DISABLE_SETRANS ?= n
>  DISABLE_RPM ?= n
> -DISABLE_BOOL ?= n
> -ifeq ($(DISABLE_BOOL),y)
> - EMFLAGS+= -DDISABLE_BOOL
> -endif
>  ifeq ($(DISABLE_RPM),y)
>   EMFLAGS+= -DDISABLE_RPM
>  endif
>  ifeq ($(DISABLE_SETRANS),y)
>   EMFLAGS+= -DDISABLE_SETRANS
>  endif
> -export DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
> +export DISABLE_SETRANS DISABLE_RPM EMFLAGS
>  
>  USE_PCRE2 ?= n
>  ifeq ($(USE_PCRE2),y)
> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> index 8cfdf34..d8a79b4 100644
> --- a/libselinux/src/Makefile
> +++ b/libselinux/src/Makefile
> @@ -41,12 +41,8 @@ LIBSO=$(TARGET).$(LIBVERSION)
>  AUDIT2WHYLOBJ=$(PYPREFIX)audit2why.lo
>  AUDIT2WHYSO=$(PYPREFIX)audit2why.so
>  
> -ifeq ($(DISABLE_BOOL),y)
> - UNUSED_SRCS+=booleans.c
> -endif
> -
>  GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
> -SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort 
> $(wildcard *.c)))
> +SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
>  
>  MAX_STACK_SIZE=32768
>  
> diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> index 249f82f..b7e1a6f 100644
> --- a/libselinux/src/load_policy.c
> +++ b/libselinux/src/load_policy.c
> @@ -256,7 +256,6 @@ checkbool:
>   }
>   }
>   
> -#ifndef DISABLE_BOOL
>   if (preservebools) {
>   int *values, len, i;
>   char **names;
> @@ -279,7 +278,6 @@ checkbool:
>   (void)genbools(data, size,
>  (char *)selinux_booleans_path());
>   }
> -#endif
>   }
>  
>  
> diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
> index 9ec928b..0708d6d 100644
> --- a/libselinux/utils/Makefile
> +++ b/libselinux/utils/Makefile
> @@ -36,11 +36,6 @@ sefcontext_compile: sefcontext_compile.o ../src/regex.o
>  
>  selinux_restorecon: LDLIBS += -lsepol
>  
> -ifeq ($(DISABLE_BOOL),y)
> - UNUSED_TARGETS+=getsebool togglesebool
> -endif
> -TARGETS:= $(filter-out $(UNUSED_TARGETS), $(TARGETS))
> -
>  all: $(TARGETS)
>  
>  install: all
> 
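Review bot: The libselinux/utils/Makefile hunk removes `TARGETS:= $(filter-out $(UNUSED_TARGETS), $(TARGETS))` together with the DISABLE_BOOL block, and the libselinux/src/Makefile hunk likewise drops $(UNUSED_SRCS) from the SRCS filter. Please confirm that nothing else in these makefiles still appends to UNUSED_TARGETS or UNUSED_SRCS, since any such entry would now be built again instead of being filtered out.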



[PATCH 2/3] libselinux: drop DISABLE_AVC=y

2016-09-28 Thread william . c . roberts
From: William Roberts 

Remove build config DISABLE_AVC, it is unused and broken.

Signed-off-by: William Roberts 
---
 libselinux/Makefile   | 6 +-
 libselinux/src/Makefile   | 3 ---
 libselinux/src/mapping.h  | 7 ---
 libselinux/utils/Makefile | 3 ---
 4 files changed, 1 insertion(+), 18 deletions(-)

diff --git a/libselinux/Makefile b/libselinux/Makefile
index d1532e8..c96695d 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -1,12 +1,8 @@
 SUBDIRS = src include utils man
 
-DISABLE_AVC ?= n
 DISABLE_SETRANS ?= n
 DISABLE_RPM ?= n
 DISABLE_BOOL ?= n
-ifeq ($(DISABLE_AVC),y)
-   EMFLAGS+= -DDISABLE_AVC
-endif
 ifeq ($(DISABLE_BOOL),y)
EMFLAGS+= -DDISABLE_BOOL
 endif
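Review bot: With the `DISABLE_AVC ?= n` default and its ifeq block removed from libselinux/Makefile, a caller that still passes DISABLE_AVC=y gets a full build with no diagnostic, because make accepts unknown variables silently. Consider a short-lived `ifeq ($(DISABLE_AVC),y)` guard that calls $(error ...) or $(warning ...), and have the commit message say in what way the option was broken so the removal can be checked later.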
@@ -16,7 +12,7 @@ endif
 ifeq ($(DISABLE_SETRANS),y)
EMFLAGS+= -DDISABLE_SETRANS
 endif
-export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
+export DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
 
 USE_PCRE2 ?= n
 ifeq ($(USE_PCRE2),y)
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 36e42b8..8cfdf34 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -41,9 +41,6 @@ LIBSO=$(TARGET).$(LIBVERSION)
 AUDIT2WHYLOBJ=$(PYPREFIX)audit2why.lo
 AUDIT2WHYSO=$(PYPREFIX)audit2why.so
 
-ifeq ($(DISABLE_AVC),y)
-   UNUSED_SRCS+=avc.c avc_internal.c avc_sidtab.c mapping.c stringrep.c 
checkAccess.c
-endif
 ifeq ($(DISABLE_BOOL),y)
UNUSED_SRCS+=booleans.c
 endif
diff --git a/libselinux/src/mapping.h b/libselinux/src/mapping.h
index b96756b..22a4cca 100644
--- a/libselinux/src/mapping.h
+++ b/libselinux/src/mapping.h
@@ -31,11 +31,4 @@ map_perm(security_class_t tclass, access_vector_t kperm);
 extern void
 map_decision(security_class_t tclass, struct av_decision *avd);
 
-/*mapping is not used for embedded build*/
-#ifdef DISABLE_AVC 
-#define unmap_perm(x,y) y
-#define unmap_class(x) x
-#define map_decision(x,y) 
-#endif
-
 #endif /* _SELINUX_MAPPING_H_ */
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 1943bef..9ec928b 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -36,9 +36,6 @@ sefcontext_compile: sefcontext_compile.o ../src/regex.o
 
 selinux_restorecon: LDLIBS += -lsepol
 
-ifeq ($(DISABLE_AVC),y)
-   UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel
-endif
 ifeq ($(DISABLE_BOOL),y)
UNUSED_TARGETS+=getsebool togglesebool
 endif
-- 
1.9.1



[PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag

2016-09-28 Thread Janis Danisevskis
The "-r" flag of sefcontext_compile now causes it to omit the
precompiled regular expressions from the output.

Signed-off-by: Janis Danisevskis 
---
 libselinux/utils/sefcontext_compile.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index 8c48d32..b2746c7 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -276,10 +276,12 @@ static void usage(const char *progname)
" will be fc_file with the .bin suffix appended.\n\t"
"-p   Optional binary policy file that will be used to\n\t"
" validate contexts defined in the fc_file.\n\t"
-   "-r   Include precompiled regular expressions in the 
output.\n\t"
+   "-r   Omit precompiled regular expressions from the output.\n\t"
" (PCRE2 only. Compiled PCRE2 regular expressions are\n\t"
-   " not portable across architectures. When linked 
against\n\t"
-   " PCRE this flag is ignored)\n\t"
+   " not portable across architectures. Use this flag\n\t"
+   " if you know that you build for an incompatible\n\t"
+   " architecture to save space. When linked against\n\t"
+   " PCRE1 this flag is ignored.)\n\t"
"-i   Print regular expression info end exit. That is, back\n\t"
" end version and architecture identifier.\n\t"
" Arch identifier format (PCRE2):\n\t"
@@ -294,7 +296,7 @@ int main(int argc, char *argv[])
 {
const char *path = NULL;
const char *out_file = NULL;
-   int do_write_precompregex = 0;
+   int do_write_precompregex = 1;
char stack_path[PATH_MAX + 1];
char *tmp = NULL;
int fd, rc, opt;
@@ -315,7 +317,7 @@ int main(int argc, char *argv[])
policy_file = optarg;
break;
case 'r':
-   do_write_precompregex = 1;
+   do_write_precompregex = 0;
break;
case 'i':
printf("%s (%s)\n", regex_version(),
-- 
2.8.0.rc3.226.g39d4020



Re: [PATCH 1/3] libselinux: Add architecture string to file_context.bin

2016-09-28 Thread Janis Danisevskis
The only change with respect to the first set of patches is the new default
"reg_arch_matches = 0".


On Wed, Sep 28, 2016 at 11:28 AM, Janis Danisevskis 
wrote:

> Serialized precompiled regular expressions are architecture
> dependent when using PCRE2. This patch
> - bumps the SELINUX_COMPILED_FCONTEXT version to 5 and
> - adds a field to the output indicating the architecture
>   compatibility.
>
> libselinux can cope with an architecture mismatch by
> ignoring the precompiled data in the input file and recompiling
> the regular expressions at runtime. It can also load older
> versions of file_contexts.bin if they were built with
> sefcontext_compile using the exact same version of the
> pcre1/2 as selinux.
>
> Signed-off-by: Janis Danisevskis 
> ---
>  libselinux/src/label_file.c   | 43 +-
>  libselinux/src/label_file.h   |  4 ++-
>  libselinux/src/regex.c| 50 ++
> ++---
>  libselinux/src/regex.h| 15 ++-
>  libselinux/utils/sefcontext_compile.c | 13 +
>  5 files changed, 119 insertions(+), 6 deletions(-)
>
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index 7156825..13e05c1 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -126,6 +126,8 @@ static int load_mmap(FILE *fp, size_t len, struct
> selabel_handle *rec,
> uint32_t i, magic, version;
> uint32_t entry_len, stem_map_len, regex_array_len;
> const char *reg_version;
> +   const char *reg_arch;
> +   char reg_arch_matches = 0;
>
> mmap_area = malloc(sizeof(*mmap_area));
> if (!mmap_area) {
> @@ -159,6 +161,10 @@ static int load_mmap(FILE *fp, size_t len, struct
> selabel_handle *rec,
> if (!reg_version)
> return -1;
>
> +   reg_arch = regex_arch_string();
> +   if (!reg_arch)
> +   return -1;
> +
> if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) {
>
> len = strlen(reg_version);
> @@ -188,7 +194,42 @@ static int load_mmap(FILE *fp, size_t len, struct
> selabel_handle *rec,
> return -1;
> }
> free(str_buf);
> +
> +   if (version >= SELINUX_COMPILED_FCONTEXT_REGEX_ARCH) {
> +   len = strlen(reg_arch);
> +
> +   rc = next_entry(_len, mmap_area,
> +   sizeof(uint32_t));
> +   if (rc < 0)
> +   return -1;
> +
> +   /* Check arch string lengths */
> +   if (len != entry_len) {
> +   /*
> +* Skip the entry and conclude that we have
> +* a mismatch, which is not fatal.
> +*/
> +   next_entry(NULL, mmap_area, entry_len);
> +   goto end_arch_check;
> +   }
> +
> +   /* Check if arch string mismatch */
> +   str_buf = malloc(entry_len + 1);
> +   if (!str_buf)
> +   return -1;
> +
> +   rc = next_entry(str_buf, mmap_area, entry_len);
> +   if (rc < 0) {
> +   free(str_buf);
> +   return -1;
> +   }
> +
> +   str_buf[entry_len] = '\0';
> +   reg_arch_matches = strcmp(str_buf, reg_arch) == 0;
> +   free(str_buf);
> +   }
> }
> +end_arch_check:
>
> /* allocate the stems_data array */
> rc = next_entry(_map_len, mmap_area, sizeof(uint32_t));
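Review bot: On the length-mismatch path, `next_entry(NULL, mmap_area, entry_len);` discards its return value, and entry_len was just read from the file. If the skip fails because entry_len runs past the mapped data, parsing continues at end_arch_check from the wrong position; please check the result and return -1 as the other next_entry calls in this hunk do, and confirm that next_entry accepts a NULL destination. reg_arch_matches correctly stays 0 on that path, so only the skip needs the check.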
> @@ -349,7 +390,7 @@ static int load_mmap(FILE *fp, size_t len, struct
> selabel_handle *rec,
> spec->prefix_len = prefix_len;
> }
>
> -   rc = regex_load_mmap(mmap_area, >regex);
> +   rc = regex_load_mmap(mmap_area, >regex,
> reg_arch_matches);
> if (rc < 0)
> goto out;
>
> diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
> index 88f4294..00c0a5c 100644
> --- a/libselinux/src/label_file.h
> +++ b/libselinux/src/label_file.h
> @@ -24,8 +24,10 @@
>  #define SELINUX_COMPILED_FCONTEXT_PCRE_VERS2
>  #define SELINUX_COMPILED_FCONTEXT_MODE 3
>  #define SELINUX_COMPILED_FCONTEXT_PREFIX_LEN   4
> +#define SELINUX_COMPILED_FCONTEXT_REGEX_ARCH   5
>
> -#define SELINUX_COMPILED_FCONTEXT_MAX_VERS SELINUX_COMPILED_FCONTEXT_
> PREFIX_LEN
> +#define SELINUX_COMPILED_FCONTEXT_MAX_VERS \
> +   SELINUX_COMPILED_FCONTEXT_REGEX_ARCH
>
>  /* A file security context specification. */
>  struct spec {
> diff --git a/libselinux/src/regex.c